Sunday, November 10, 2013

Started using pfSense, Will Never Go Back

I decided it was time to go over my home office network architecture and make some tweaks. The architecture I started with was Comcast Business Class service for my ISP, and a Windows Server 2008 box that served not only as my domain controller but also as my NAT router and firewall.
I had an older Windows XP computer that I figured I could still use as a firewall. I did some research on firewall software and chose pfSense. pfSense is a free, open source firewall/router distribution built on FreeBSD. I added a second network card to the Windows XP box and installed pfSense, which replaced Windows XP. So now I have a dedicated firewall with 2GB of memory and an Intel Pentium Dual E2180 @ 2.00 GHz CPU. I added it to my network and proceeded to do some tests.
Another change I made was to configure Google's public DNS servers as resolvers. The first test I ran was a DNS lookup from within pfSense itself. I used the DNS Lookup tool under the Diagnostics menu to look up a domain name, and I chose the Democracy Now! domain name.

Google's DNS servers are at 8.8.8.8 and 8.8.4.4, while Comcast's servers are at 75.75.75.75 and 75.75.76.76. Google's DNS servers perform much better, so that is an improvement already.
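The same comparison can be scripted instead of clicked through the Diagnostics page. The following is an added example, not from the post or the pfSense project: it builds a minimal DNS A query by hand (so it needs nothing beyond the Python standard library), sends it over UDP to each of the four resolver addresses named above, and reports min/median/max round-trip time and lost queries per resolver. It also checks the response header (matching transaction id, QR bit, RCODE) rather than trusting whatever comes back. The query name `example.com` and the sample count are assumptions; the post does not state which domain was used.

```python
"""Time DNS lookups against several resolvers and summarize the results.

Added example (not from the original post). Resolver addresses are the
ones named in the post; the query name and sample count are assumptions.
"""
import random
import socket
import statistics
import struct
import time

# Resolver addresses from the post.
RESOLVERS = {
    "Google 8.8.8.8": "8.8.8.8",
    "Google 8.8.4.4": "8.8.4.4",
    "Comcast 75.75.75.75": "75.75.75.75",
    "Comcast 75.75.76.76": "75.75.76.76",
}


def build_query(name: str, txid: int) -> bytes:
    """Build a minimal RFC 1035 A query for `name` with recursion desired."""
    # Header: id, flags (RD=1), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: length-prefixed labels, terminated by a zero byte.
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    # QTYPE=A (1), QCLASS=IN (1)
    return header + qname + struct.pack("!HH", 1, 1)


def parse_response(data: bytes, txid: int) -> dict:
    """Validate the response header and return rcode/answer count/TC flag."""
    if len(data) < 12:
        raise ValueError("response shorter than a DNS header")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (possible stray packet)")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: this is a query, not a response")
    return {
        "rcode": flags & 0x000F,      # 0 = NOERROR, 3 = NXDOMAIN, ...
        "answers": an,
        "truncated": bool(flags & 0x0200),
    }


def time_lookup(server: str, name: str, timeout: float = 2.0):
    """Send one query over UDP; return elapsed ms, or None on timeout/error."""
    txid = random.getrandbits(16)
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.perf_counter()
        try:
            sock.sendto(query, (server, 53))
            data, _addr = sock.recvfrom(512)
            parse_response(data, txid)
        except (socket.timeout, OSError, ValueError):
            return None
        return (time.perf_counter() - start) * 1000.0


def summarize(samples):
    """Min/median/max in ms over successful samples; count failures as lost."""
    good = [s for s in samples if s is not None]
    if not good:
        return None
    return {
        "min": min(good),
        "median": statistics.median(good),
        "max": max(good),
        "lost": len(samples) - len(good),
    }


if __name__ == "__main__":
    # Assumed query name and sample count; adjust to taste.
    for label, server in RESOLVERS.items():
        stats = summarize([time_lookup(server, "example.com") for _ in range(5)])
        if stats is None:
            print(f"{label:22s} no responses")
        else:
            print(f"{label:22s} min {stats['min']:.1f} ms  "
                  f"median {stats['median']:.1f} ms  max {stats['max']:.1f} ms  "
                  f"lost {stats['lost']}")
```

Run it from a host on the LAN (or from the pfSense shell, where Python may need to be installed as a package) and repeat at a few times of day; a single lookup says little because the first query for a name is usually a cache miss at the resolver and later ones are cache hits.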
Next, I tested the throughput of my two routers, the Windows 2008 box versus the pfSense box. To do this, I used ZDNet's Broadband Speed Test from my workstation, which I alternately configured to use the Windows 2008 box as its gateway and then the pfSense box as its gateway. With my workstation configured to use the Windows 2008 box, I was getting about 12 to 14 Mbps. With the pfSense box, my speed went up to 26 to 29 Mbps. Wow, what a performance improvement! I am really kicking myself now just thinking of all the bandwidth I was losing in my network infrastructure, which translates to lost dollars.
With this new configuration, I also get added security. On pfSense, I installed a package called Snort that adds intrusion detection and prevention. Snort provides alerts for the incoming attacks it detects. It always amazes me how many attacks there continually are out in the Internet wilderness.
The moral of this story is: pay attention to your network infrastructure. You may be able to make large improvements in both performance and security. If you have an old computer that works, don't throw it away. Make it into a high performance router.